fail2ban configuration in Fedora/RHEL
The configuration files in Fedora20 for
fail2ban are located in the /etc directory under
with further sub-directories for actions, filters and jails.
drwxr-xr-x. 2 root 4.0K May 16 2014 action.d drwxr-xr-x. 2 root 4.0K Mar 19 2014 fail2ban.d drwxr-xr-x. 2 root 4.0K May 16 2014 filter.d drwxr-xr-x. 2 root 4.0K Mar 19 2014 jail.d -rw-r--r--. 1 root 2.1K Mar 14 2014 fail2ban.conf -rw-r--r--. 1 root 33 Dec 10 00:16 fail2ban.local -rw-r--r--. 1 root 14K Dec 10 01:06 jail.conf -rw-r--r--. 1 root 16K Dec 10 00:54 jail.conf.rpmnew -rw-r--r--. 1 root 805 Dec 10 07:48 jail.local -rw-r--r--. 1 root 1.5K Mar 14 2014 paths-common.conf -rw-r--r--. 1 root 606 Mar 14 2014 paths-debian.conf -rw-r--r--. 1 root 649 Mar 14 2014 paths-fedora.conf -rw-r--r--. 1 root 1.2K Mar 14 2014 paths-freebsd.conf -rw-r--r--. 1 root 290 Mar 14 2014 paths-osx.conf
NOTE: In order to preserve your edits and customizations you should create separate
*.local files, as the normal
*.conf files (may) get overwritten during an upgrade. The
*.local files take precedence over the
*.conf files as the former are parsed after the latter. In
*.local files specify only the settings you would like to change and the rest of the configuration will then come from the corresponding
*.conf file which is parsed first.
If you’d like to be notified every time
fail2ban blocks an ipaddress from ssh access, for example, edit/create the
/etc/fail2ban/jail.local file and append the following lines:
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, email@example.com] logpath = /var/log/secure maxretry = 5
[ssh-iptables] section wasn’t included in the jail.conf file by default (on my system, at least), I’ve added the entire section to the jail.local file; whereas, if it had been, I would’ve only added the lines I’d want to change.
All entries are separated by sections/headers enclosed in square brackets; the lines that follow then are applicable for that section until the next
enabled = true
“enabled” enables the jails.
By default all jails are disabled, and it should stay this way. Enable only those jails relevant to your setup in your .local or jail.d/*.conf files.
- true: jail will be enabled and log files will get monitored for changes
- false: jail is not enabled
filter = sshd
refers to the .conf file in /etc/fail2ban/filter.d/, which contains the rules (
regex expressions, etc) that fail2ban uses to find matches in the log files.
Each jail can be configured with only a single filter, but may have multiple actions. For those name items (e.g. action) that can accept multiple values (e.g. iptables, sendmail), specify the values separated by spaces, or in separate lines space-indented at the beginning of the line before the second value; therefore, mind the tabs at the beginning of the “sendmail…” line.
action = iptables[...] sendmail-whois[..]
By default, the name of an action is the action filename in
/etc/fail2ban/action.d/, and in the case of Python actions, the “.py” file extension is stripped. The action option refers to the steps that fail2ban will take to e.g. ban an IP address matching the options in the specified filter.
iptables[name=SSH, port=ssh, protocol=tcp]
name=, port=, and protocol= are the options in the /etc/fail2ban/action.d/iptables.conf file that you’d like to change or specify. Action files have two sections, Definition and Init. The “Init” section enables action-specific settings which can be overridden for a particular jail as options of the action’s specification in that jail.
With the recent versions of Fedora and RHEL the default firewall program is firewalld. The Fedora Wiki has some useful configuration options listed for fail2ban with firewalld, such as changing the default default banaction to firewallcmd-ipset. Simply add the following to the beginning of the DEFAULT section in your jail.local file:
banaction = firewallcmd-ipsetThere are also configuration files in the action.d subdirectory for firewallcmd-ipset.conf and firewallcmd-new.conf. Additional info can be viewed and trucked in this bug-report.